Letters to the Editor

In the article “Designing and Using DMZ Networks ...”
[March 2001] Mick Bauer covered ways of securing DMZ hosts. In my
opinion he missed a simple but very efficient tool to detect
intruders at DMZ hosts or firewalls: Tripwire. It calculates
checksums for all files on the system and stores these fingerprints
in a database. By doing a compare run against this database at regular
intervals (cron), it is easy to detect changes. If somebody
modified /bin/login, /etc/passwd or installed other back doors, you
will realize it at least after the next compare run. The key is to
store Tripwire itself and the initial database on read-only media
(e.g., CD-ROM) to prevent modifications. There is no way of doing
the same with diff, as mentioned
in the article.

Another issue is the design of the DMZ shown in Figure 2. I
wouldn't recommend having all hosts in a single DMZ. If you are
using three different boxes for doing the job, you should use three
DMZs as well. If one of the machines is compromised by an
intruder, he has to cross the firewall again to attack the others.
So fill up your firewall with additional NICs and use crossed
cables—you won't need a switch either.

Regards

—Markus Hogger
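As an added illustration of the approach Markus describes (this is example code, not code from the letter or from Tripwire itself): a minimal integrity checker that fingerprints every file under a root, keeps the baseline as a JSON document, and reports what changed on the next compare run. The tree and the tampering in run_demo are constructed; in practice the baseline and the checker would sit on read-only media, as the letter says.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint(path):
    """SHA-256 of a file's contents, hashed in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file below root (as a relative POSIX path) to its fingerprint."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """The 'compare run': which files changed, appeared or vanished since the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def run_demo():
    """Constructed scenario (not a real system): baseline a tiny tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in {"bin/login": b"login v1", "etc/passwd": b"root:x:0:0",
                          "etc/motd": b"welcome"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        # The stored database; Tripwire keeps this (and itself) on read-only media.
        stored_db = json.dumps(build_baseline(root))
        # Simulated tampering: modified login binary, dropped file, deleted file.
        (root / "bin/login").write_bytes(b"login v1 + backdoor")
        (root / "tmp").mkdir()
        (root / "tmp/backdoor.sh").write_bytes(b"#!/bin/sh\n")
        (root / "etc/motd").unlink()
        return compare(json.loads(stored_db), build_baseline(root))


if __name__ == "__main__":
    print(run_demo())
```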

FAT Problems

I enjoyed Robin Rowe's article, “Debian Multiboot
Installation” (LJ, March 2001), but have a
couple of points to make about it. In the part about running
rawrite2.exe, it is implied that you can't run this program from a
FAT32 partition. This is wrong; the versions of DOS that come with
Win98 (and Win95 OSR2) know about FAT32 (but not long filenames);
otherwise, they wouldn't be able to boot Windows from a FAT32
partition either. Perhaps the author had FIPS (the DOS
repartitioning tool) in mind at the time, the original versions of
which cannot handle FAT32.

A discussion of the problems with WindowsME would have been
useful. This is basically Windows98 with a flashier GUI and other
useless features, except Microsoft tried as hard as possible to
stop you from running its DOS in “real” (16-bit) mode, mainly by
nobbling the FORMAT and SYS commands and removing the options for
starting or restarting in DOS mode.

To boot to DOS in WindowsME, create a startup floppy from
Control Panel --> Add/Remove Programs --> Startup Disk. If
you reboot the PC from this floppy and select the Minimal Boot
option, you will end up at a DOS prompt from which you can change
to drive C: and run the rawrite2.exe program as instructed in the
article. Alternatively, you could get your own back on Microsoft by
nobbling the startup floppy to get CD support and a DOS prompt
without any of that Windows recovery malarkey. (The easiest way is
just to rename the AUTOEXEC.BAT file.)

Also, a lot of the pathnames in the article use
forward slashes instead of backslashes.

—Ian Abbott

Rowe replies: You are
correct that covering WinME would have been nice. The only reason I
didn't was I don't have a copy and didn't want to buy one. Thanks
for the nice notes on how to use it. Another interesting approach
that I haven't tried is using WinImage to create the Debian
floppies. I think you are right about being able to see a FAT32
partition when booting from a newer DOS. I haven't tried that in a
long time, since I generally prefer FAT16 or NTFS partitions. I
should have created a FAT32 partition to test that, but was in a
rush to complete the article and didn't. Thanks for the correction.
I've never used FIPS. Forward slashes are correct in UNIX or
Windows, although Windows persists in defaulting to backslashes.
Using forward slashes everywhere is a habit I picked up in writing
portable code. Unfortunately, that only works with UNIX and
Windows. The Mac doesn't like slashes (forward or back). Darwin
will, I hope, change that. If you go to the file search box in
Win2k, for instance, and use forward slashes, that works fine. The
one place it won't accept forward slashes is at the DOS command
prompt.